Understanding Yum's gpgcheck in depth

Tutorial

Secure distribution of RPM packages

Hands-on test of gpg

  • Create the private repository privateRepo

    mkdir /home/privateRepo/
  • Upload an unsigned RPM package to /home/privateRepo/

    rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
    
    Name        : jdk-10.0.1                   Relocations: /usr/java
    Version     : 10.0.1                            Vendor: Oracle America
    Release     : ga                            Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
    Install Date: (not installed)               Build Host: sca00ida.us.oracle.com
    Group       : Development/Tools             Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
    Size        : 578524676                        License: http://java.com/license
    Signature   : (none)
    URL         : URL_REF
    Summary     : Java Platform Standard Edition Development Kit
    Description :
    The Java Platform Standard Edition Development Kit (JDK) includes both
    the runtime environment (Java Virtual Machine, the Java platform classes
    and supporting files) and development tools (compilers, debuggers,
  • Add gpgcheck to the repo config

    vi /etc/yum.repos.d/privateRepo.repo
    
    [privateRepo]
    name=privateRepo-gpg-test
    baseurl=file:///home/privateRepo
    enabled=1
    gpgcheck=1
  • Build the repository index

    createrepo /home/privateRepo/
    Spawning worker 0 with 1 pkgs
    Workers Finished
    Gathering worker results
    
    Saving Primary metadata
    Saving file lists metadata
    Saving other metadata
    Generating sqlite DBs
    Sqlite DBs complete
  • Query with yum

    yum clean all
    yum list|grep jdk
    
    jdk-10.0.1.x86_64                2000:10.0.1-ga              privateRepo
  • Install jdk-10.0.1.x86_64

    yum install jdk-10.0.1.x86_64
    Loaded plugins: fastestmirror, post-transaction-actions
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ============================================================================================================================================
    Package                          Arch                         Version                              Repository                         Size
    ============================================================================================================================================
    Installing:
    jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
    Transaction Summary
    ============================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 306 M
    Installed size: 552 M
    Is this ok [y/N]: y
    Downloading Packages:
    
    Package jdk-10.0.1_linux-x64_bin.rpm is not signed
  • The installation fails
  • Sign the package

    gpg --list-keys
    /home/nobody/.gnupg/pubring.gpg
    -------------------------------
    pub   2048R/230C0099 2016-03-15
    uid                  Gavin Ni <guani@cisco.com>
    sub   2048R/3E679AEF 2016-03-15
    gpg --export -a guani@cisco.com > /home/nobody/privateRepo.key
    rpm --define '_gpg_name Gavin Ni' --define '_gpg_path /home/nobody/.gnupg' --addsign /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
    Enter pass phrase:
    gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
    Pass phrase is good.
    /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm:
    gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
    gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
  • Verify the signature

    rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
    Name        : jdk-10.0.1                   Relocations: /usr/java
    Version     : 10.0.1                            Vendor: Oracle America
    Release     : ga                            Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
    Install Date: (not installed)               Build Host: sca00ida.us.oracle.com
    Group       : Development/Tools             Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
    Size        : 578524676                        License: http://java.com/license
    Signature   : RSA/SHA1, Thu 30 Aug 2018 03:30:08 AM GMT, Key ID 952e62c3230c0099
    URL         : URL_REF
    Summary     : Java Platform Standard Edition Development Kit
    Description :
    The Java Platform Standard Edition Development Kit (JDK) includes both
    the runtime environment (Java Virtual Machine, the Java platform classes
    and supporting files) and development tools (compilers, debuggers,
    tool libraries and other tools).
  • Install again, but the installation still fails

    yum install jdk-10.0.1.x86_64
    Loaded plugins: fastestmirror, post-transaction-actions
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    qa_mav_centos6                                                                                                       | 1.2 kB     00:00
    qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
    qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ============================================================================================================================================
    Package                          Arch                         Version                              Repository                         Size
    ============================================================================================================================================
    Installing:
    jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
    Transaction Summary
    ============================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 306 M
    Installed size: 552 M
    Is this ok [y/N]: y
    Downloading Packages:
    Error Downloading Packages:2000:jdk-10.0.1-10.0.1-ga.x86_64: failure: jdk-10.0.1_linux-x64_bin.rpm from privateRepo: [Errno 256] No more mirrors to try.
  • createrepo has to be run again

    createrepo /home/privateRepo/
  • The installation still fails

    [root@mtRobincmc001 yum.repos.d]# yum install jdk-10.0.1.x86_64
    Loaded plugins: fastestmirror, post-transaction-actions
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    qa_mav_centos6                                                                                                       | 1.2 kB     00:00
    qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
    qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ============================================================================================================================================
    Package                          Arch                         Version                              Repository                         Size
    ============================================================================================================================================
    Installing:
    jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
    Transaction Summary
    ============================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 306 M
    Installed size: 552 M
    Is this ok [y/N]: y
    Downloading Packages:
    jdk-10.0.1_linux-x64_bin.rpm                                                                                         | 306 MB     00:04
    warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 230c0099: NOKEY
    Public key for jdk-10.0.1_linux-x64_bin.rpm is not installed
  • Import the public key

    gpg --export -a rpmsign@example.com > /home/privateRepo/example-com.key
  • Add gpgkey to the yum repo config

    [privateRepo]
    name=privateRepo-gpg-test
    baseurl=file:///home/privateRepo
    enabled=1
    gpgcheck=1
    gpgkey=file:///home/privateRepo/privateRepo.key
  • Install again; this time it succeeds

    [root@mtRobincmc001 ~]# yum install jdk
    Loaded plugins: fastestmirror, post-transaction-actions
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    qa_mav_centos6                                                                                                       | 1.2 kB     00:00
    qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
    qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ============================================================================================================================================
    Package                          Arch                         Version                              Repository                         Size
    ============================================================================================================================================
    Installing:
    jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
    Transaction Summary
    ============================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 306 M
    Installed size: 552 M
    Is this ok [y/N]: y
    Downloading Packages:
    jdk-10.0.1_linux-x64_bin.rpm                                                                                         | 306 MB     00:03
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : 2000:jdk-10.0.1-10.0.1-ga.x86_64                                                                                         1/1
    Unpacking JAR files...
      plugin.jar...
      javaws.jar...
      deploy.jar...
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-java.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-javaws.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
    Running post transaction command: /opt/mav/bin/mav-event "yum_event" "install jdk-10.0.1-10.0.1-ga.x86_64 @ %DTE% from privateRepo 2000"
      Verifying  : 2000:jdk-10.0.1-10.0.1-ga.x86_64                                                                                         1/1
    
    Installed:
      jdk-10.0.1.x86_64 2000:10.0.1-ga
    
    Complete!
  • Summary

    • /etc/yum.repos.d/privateRepo.repo applies only on the yum client side
    • gpgcheck=1 in privateRepo.repo only affects the install step; it has no effect on building the index on the server side (createrepo). However, after signing, createrepo must be run again, because signing rewrites the package file and the checksum recorded in the old repodata no longer matches it (hence the "No more mirrors to try" error above).
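As an added example that is not part of the original post: a POSIX shell helper that reads `rpm -qpi` output and checks the Signature field against the key ID the repository is supposed to sign with, the check worth running over every package before createrepo is re-run. The expected key ID argument, the exit codes, and the two sample outputs (taken from the post's before/after listings) are constructed for this example; on a real host the `verify_package` wrapper pipes live `rpm -qpi` output in, and `rpm -K` with the key imported remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post): check the Signature field of
# `rpm -qpi <pkg>` output against the key the repository is supposed to use.
# Exit codes: 0 = signed by the expected key, 1 = unsigned, 2 = signed by
# some other key, 3 = usage error. The authoritative check remains
# `rpm -K <pkg>` with the key imported; this parser is for reporting over a
# whole repository before createrepo is re-run.

# Reads rpm -qpi output on stdin; $1 is the expected key ID. rpm prints the
# 16-hex-digit ID (952e62c3230c0099 in the post) while gpg --list-keys shows
# the 8-digit short ID (230C0099), so a case-insensitive suffix match is used.
check_signature_info() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "usage: check_signature_info <key-id>" >&2; return 3; }
    sig=$(sed -n 's/^[[:space:]]*Signature[[:space:]]*:[[:space:]]*//p')
    case "$sig" in
        ''|'(none)')
            echo "UNSIGNED: package carries no GPG signature" >&2
            return 1 ;;
    esac
    keyid=$(printf '%s' "$sig" | sed -n 's/.*Key ID \([0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f')
    case "$keyid" in
        *"$expected")
            echo "OK: signed by key $keyid"
            return 0 ;;
        *)
            echo "WRONG KEY: signed by '$keyid', expected a key ending in $expected" >&2
            return 2 ;;
    esac
}

# Wrapper for a real package file (needs rpm installed), e.g.
#   verify_package /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm 230C0099
# and to sweep a repository directory before createrepo:
#   for p in /home/privateRepo/*.rpm; do verify_package "$p" 230C0099 || echo "FAIL $p"; done
verify_package() {
    rpm -qpi "$1" | check_signature_info "$2"
}

# Constructed samples: the Signature lines rpm printed in the post, before
# and after rpm --addsign.
UNSIGNED_INFO='Name        : jdk-10.0.1
Signature   : (none)'
SIGNED_INFO='Name        : jdk-10.0.1
Signature   : RSA/SHA1, Thu 30 Aug 2018 03:30:08 AM GMT, Key ID 952e62c3230c0099'

# Stand-alone demo on the constructed samples (no rpm needed):
printf '%s\n' "$UNSIGNED_INFO" | check_signature_info 230C0099 || echo "exit status $?"
printf '%s\n' "$SIGNED_INFO"   | check_signature_info 230C0099
```

A package that is signed but with an unexpected key is exactly the case yum reports as NOKEY when the key is not in the configured gpgkey, so the script treats it as a failure rather than "signed".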

A secure private RPM repository

  • Download RPMs over https
  • Sign RPMs with gpg
  • Make sure gpgcheck=1
  • Download the gpg public key over https
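An added example, not from the original post, that turns the checklist above into a check a client admin can run: a POSIX sh/awk auditor that reads yum .repo text and flags gpgcheck off or missing, a missing gpgkey, and any baseurl, mirrorlist or gpgkey fetched over plain http (https:// and file:// pass). The sample configs, including the repo.example.internal hostname, are constructed; the second section of the weak sample mirrors the post's own privateRepo.repo before gpgkey was added, the state that produced the NOKEY failure.

```shell
#!/bin/sh
# Added example (not from the original post): audit yum .repo files for the
# settings the checklist calls for. Reads .repo text on stdin and prints one
# finding per line; exit status is 1 if anything was found, else 0.
audit_repo_config() {
    awk '
    # 1 if any whitespace-separated URL in v uses plain http
    function plain_http(v,    n, i, u) {
        n = split(v, u, /[ \t]+/)
        for (i = 1; i <= n; i++) if (u[i] ~ /^http:\/\//) return 1
        return 0
    }
    # Emit findings for the section collected so far.
    function flush(    k) {
        if (sec == "") return
        if (!("gpgcheck" in kv) || tolower(kv["gpgcheck"]) !~ /^(1|yes|true)$/) {
            print sec ": gpgcheck is off, signatures are not verified at install time"; bad++
        }
        if (!("gpgkey" in kv)) {
            print sec ": no gpgkey, yum has no trusted key to verify against"; bad++
        } else if (plain_http(kv["gpgkey"])) {
            print sec ": gpgkey is fetched over plain http, the key itself is unprotected in transit"; bad++
        }
        for (k in kv) if ((k == "baseurl" || k == "mirrorlist") && plain_http(kv[k])) {
            print sec ": " k " uses plain http"; bad++
        }
    }
    /^[ \t]*(#|;)/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]*\[[^]]+\][ \t]*$/ {                   # a new [section] starts
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
        for (k in kv) delete kv[k]
        next
    }
    index($0, "=") > 0 {                          # key=value line
        i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        kv[tolower(k)] = v
    }
    END { flush(); exit (bad > 0) }
    '
}

# Constructed sample 1: a weak config. The first section breaks three rules of
# the checklist; the second matches the post's privateRepo.repo before gpgkey
# was added (signed package, but no key for yum to trust).
WEAK_REPO='[privateRepo]
name=privateRepo-gpg-test
baseurl=http://repo.example.internal/privateRepo
enabled=1
gpgcheck=0
gpgkey=http://repo.example.internal/privateRepo.key

[localUnsigned]
name=local, no key configured
baseurl=file:///home/privateRepo
enabled=1
gpgcheck=1'

# Constructed sample 2: the hardened form of the same repo.
GOOD_REPO='[privateRepo]
name=privateRepo-gpg-test
baseurl=https://repo.example.internal/privateRepo
enabled=1
gpgcheck=1
gpgkey=https://repo.example.internal/privateRepo.key'

# Demo on the constructed samples; on a real client audit every repo with:
#   cat /etc/yum.repos.d/*.repo | audit_repo_config
printf '%s\n' "$WEAK_REPO" | audit_repo_config || echo "weak config: findings above (exit $?)"
printf '%s\n' "$GOOD_REPO" | audit_repo_config && echo "hardened config: no findings"
```

Concatenating all .repo files on stdin works because each file starts with its own [section] header, so no key leaks from one repo into the next.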

mumubin